CVE-2024-2857

MEDIUM Year: 2024
CVSS v3 Score
6.1
Medium
Weakness Type
CWE-352
View all →

Vulnerability Description

The Simple Buttons Creator WordPress plugin through 1.04 does not have any authorisation as well as CSRF in its add button function, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged in admins.

Related Vulnerabilities

CVE-2016-10865

MEDIUM
CVSS:6.1(Medium)

The Lightbox Plus Colorbox plugin through 2.7.2 for WordPress has cross-site request forgery (CSRF) via wp-admin/admin.php?page=lightboxplus, as demonstrated by resultant width XSS.

CWE-3522016

CVE-2016-11084

MEDIUM
CVSS:6.1(Medium)

An issue was discovered in Mattermost Server before 2.1.0. It allows XSS via CSRF.

CWE-3522016

CVE-2016-6158

MEDIUM
CVSS:6.1(Medium)

Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei WS331a routers with software before WS331a-10 V100R001C01B112 allow remote attackers to hijack the authentication of administrators...

CWE-3522016

CVE-2016-6642

MEDIUM
CVSS:6.1(Medium)

Cross-site request forgery (CSRF) vulnerability in EMC ViPR SRM before 3.7.2 allows remote attackers to hijack the authentication of administrators for requests that upload files.

CWE-3522016

CVE-2018-0444

MEDIUM
CVSS:6.1(Medium)

A vulnerability in the web-based management interface of Cisco Packaged Contact Center Enterprise could allow an unauthenticated, remote attacker to conduct a stored XSS attack against a user of the i...

CWE-3522018

CVE-2018-1432

MEDIUM
CVSS:6.1(Medium)

IBM InfoSphere Information Server 9.1, 11.3, 11.5, and 11.7 is vulnerable to cross-frame scripting which is a vulnerability that allows an attacker to load Information Server components inside an HTML...

CWE-3522018